Friday, 28 January 2011

Migrating to Windows 7 from XP with OS Specific Desktop Policy

This article focuses mainly on the user-experience issues that come with the migration, as opposed to the task of getting new hardware or upgrading older hardware and installing the operating system on it. There are challenges which come with the differences between the operating systems and the configuration settings that apply to them. This is especially true if you are using Group Policy or Registry settings to lock down desktops for certain classes of users, as would be quite common in a school environment with students, for example.

Whilst it is tempting to think some of the differences can be dealt with by using loopback policy to apply OS-specific settings only to machines which have a specific OS, this brings other complications, mainly when a user with administrative rights logs on to a computer and finds that the same lockdowns are applied to their account. I would highly recommend from experience that loopback policy for desktop experience settings is only used as a stopgap measure, until such time as all of your computers, or as many of them as possible, can be transitioned to as much commonality in these settings as possible. The majority of the settings can then be taken out of loopback policies and put back into the per-user section of the policy tree, where they don't affect all your users the same.

For example, we used to redirect the Start menu in Windows XP so that it displayed a preconfigured set of icons. In fact, it was redirected to the All Users Start Menu, which in turn was configured with exactly the set of icons we wanted the user to have access to. This immediately causes problems in Windows 7 because the equivalent is stored in a physically different path. I decided ultimately to stop using this redirection completely in Windows 7. This means, at least for the moment, that I have to find a way of differentiating between Windows 7 and Windows XP computers. In the short term I can immediately do this using a loopback policy. However, that will also limit me if I log on to one of these computers as an administrative user, because that policy ends up being applied to every user the same. In the longer term, therefore, I must be able to take as many as possible of the policy settings out of loopback and into a user-specific policy.

If I have a browse through my Windows 7 policy file, there aren't that many settings that are Windows 7 specific. So it wouldn't really take long to weed out the ones that only apply to 7 and loopback only these specific settings, move everything else into a user-specific policy, and so make life simpler for people administering these computers. I wouldn't say it will totally fix the problems, and it is possible we would look at other means of making these computers administrable. One option is to set up local administrative accounts, as these are not subject to the limitations of group policy.
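
The situation described above, where an administrative user logs on to a computer and finds the loopback lockdowns applied to their account, can be checked on the workstation itself. The following PowerShell script is an added example, not part of the original post; its function names are hypothetical, and it assumes PowerShell 2.0 is available on the Windows XP machines as well as the Windows 7 ones.

```powershell
# Added example, not from the original article. Written for PowerShell 2.0
# so the same script runs on both Windows XP and Windows 7.

function Get-LoopbackMode {
    # UserPolicyMode is the registry value behind the computer policy
    # "User Group Policy loopback processing mode": 1 = Merge, 2 = Replace.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $value = $null
    if (Test-Path $key) {
        $value = (Get-ItemProperty -Path $key).UserPolicyMode
    }
    if ($value -eq 1) { return 'Merge' }
    if ($value -eq 2) { return 'Replace' }
    return 'Disabled'
}

function Get-ClientOsName {
    # 5.1 = Windows XP (32-bit); 6.1 with ProductType 1 = Windows 7.
    $os = Get-WmiObject -Class Win32_OperatingSystem
    if ($os.Version -like '5.1.*') { return 'Windows XP' }
    if ($os.Version -like '6.1.*' -and $os.ProductType -eq 1) { return 'Windows 7' }
    return "Other ($($os.Caption.Trim()))"
}

function Test-IsAdministrator {
    # On Windows 7 with UAC this is only true in an elevated session.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

$report = New-Object PSObject -Property @{
    Computer     = $env:COMPUTERNAME
    OS           = Get-ClientOsName
    LoopbackMode = Get-LoopbackMode
    User         = "$env:USERDOMAIN\$env:USERNAME"
    IsAdmin      = Test-IsAdministrator
}
$report | Format-List Computer, OS, LoopbackMode, User, IsAdmin

# Flag the case the article warns about: an admin logon on a loopback machine.
if ($report.LoopbackMode -ne 'Disabled' -and $report.IsAdmin) {
    Write-Warning ("Loopback ($($report.LoopbackMode)) is active: user settings from " +
        "GPOs that apply to this computer are also applied to this administrative logon.")
}
```

Running it from an administrative logon on each class of machine shows which computers still depend on loopback and would lock down that session.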